CISO Perspective: Sean Catlett, Slack CISO

View Show Notes and Transcript

Episode Description

What We Discuss with Sean Catlett:

  • 00:00 Introduction
  • 03:17 Sean’s Professional Background
  • 05:17 Communicating with the board effectively
  • 07:03 Does a CISO have to be technical?
  • 09:52 B2B vs B2C
  • 14:38 CISO vs CIO focused on security
  • 17:22 Vulnerabilities found on CSPs
  • 19:35 What surprises Sean about attackers?
  • 21:47 Training teams on starting business initiatives
  • 23:30 Biggest Challenges for Cybersecurity Leaders
  • 27:42 Pathway to becoming a CISO
  • 30:24 Opportunities in a CISO role
  • 33:08 Skills towards becoming a CISO
  • 36:22 Future of Cybersecurity
  • 39:24 The Fun Section

THANKS, Sean Catlett!

If you enjoyed this session with Sean Catlett, let him know by clicking on the link below and sending him a quick shout out at Linkedin:

Click here to thank Sean Catlett at Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode

Ashish Rajan: [00:00:00] Hello, sheet. This is the post I’ll say conference versions of everyone who’s came and said hello at the RSA event and to pitch, we’re really welcoming. We felt very welcoming and warm feelings from all, all of. So that was really awesome. Thank you. So today we are bringing back what we haven’t done for some time, with a CISO perspective. 


This time it is, before I say the name, I probably should introduce the person with some that intro music. Cause that’s what we do as our tradition is over here. So let’s get this music going and. 


Hey, how’s it going, man? How are you? Good, man. I love the way you basically kinda like vet I don’t know what the genre, it’s only really electronic, but I’d love to buy it as well of the. 


Sean Catlett: Absolutely. Yeah, no,, you gotta get those songs to kind of get you pumped up, so 


Ashish Rajan: yeah, totally. Well, they’re all pumped up as well. 


Maybe before we start, if you could, for people who may not know you at the one or two people in the audience who may not know you if you can just give yourself a, a brief intro about yourself, that would be awesome. 


Sean Catlett: Yeah. Great. So Sean Catlett, a chief security officer here at slack been here about two years and previous to that was the first CISO for a Reddit and then a number of different jobs in the [00:01:00] security space from, security startups and FinTech firms. 


Ashish Rajan: Awesome. And I love the fact that you actually came from a varied background, which we get into from a, from a business perspective as well, but considering its Cloud Security Podcast as well. 


We kind of have this question, which you ask everyone as a leader, where does cloud security mean? 


Sean Catlett: For me, it’s been an interesting cause it’s been and , how you kind of stay current, my career arc and journey I’ve been from, , large first party data center build outs and multi-company kind of global technology. 


Companies. And what’s great about, , from our perspective on cloud is, , you’ve got the speed component that I think is so important, but it also, from a leadership standpoint, you also have to deal with that speed. , there’s a compression and just the amount of time to create capabilities, that works on both sides, both on what you want to create as well as what’s being created around you. 


And I just find that. 


Ashish Rajan: It’s pretty awesome. So I think what you’ve touched on is very interesting because as a CISO, I imagine having conversation with w at a board level also comes with the challenge of explaining something, which is quite technical to, as you said, as well, going at a fast speed producing more [00:02:00] products. 


How does a leader, I guess, these days, how does it have. And making board understand the risk behind, say something like cloud supply chain, just some of the buzzwords of the, I wouldn’t say buzzword, but these are topical at the moment. So how does one explain these technical? I, at least in your experience, these technical topics. 


Sean Catlett: Well, I think you need kind of both halves of your brain. , I think you have to be both a technical and business oriented , for two reasons. I think that the demands of the job kind of pull you in those directions. I mean, you have to. Be able to, to speak up in a business aligned way, , understanding the business that you’re in, how your company makes money. 


I mean, it sounds simple, but I think a lot of times we can get very removed from that and actually just think about the security roles, missions, attackers, defenders, and I think to really speak to a board, you’ve got to be able to really understand what are they looking to do? How are they looking to guide the organization? 


What can you do to keep them. Were able to make good decisions, make sure you’re absolutely factual. And so that I think needs some technical depth, because you’d have to make sure that you’ve asked the right [00:03:00] questions of your team, of your business, of the metrics before you get there. You don’t want to be doing this. 


And and I think a really important part is that you have to be able to retain like attract and retain the people that you need. And I think that you can really only do that with with the technical skills to be able to help kind of break down projects and programs and to meaningful parts and get people really energized about what they’re trying to build. 


Ashish Rajan: Yeah. And I think you, right, you’ve kind of touched on something that I’m really always curious about. A lot of people are saying that the role for CISO is slowly turning more technical, like previously. A lot of other leaders could transition on those CISO role because I guess the rumor was well, it’s a security project, so it’s not really that hard. 


I can just manage security. I can manage other projects. I can manage a security project. Do you find that these days it’s actually that far from the truth, that if you’re not technical, it would be harder to do a job as a CISO in today’s day. 


Sean Catlett: I do believe that that’s true, but there’s a balance. I think that it really is I think dependent on the company is dependent on what you’re there to protect. 


I think that there are definite roles where maybe it’s less important and there’s more [00:04:00] important to understand the regulatory environment or privacy or something that may be a little bit different than like a, maybe a deeper technical role. However, I think it can’t hurt to have those skills. 


I think if you balance that with the business skills and you’ll see that a lot, and I get into conversations with executives about how we, as a security or, , know leadership team or organization, or even industry don’t explain things well that we don’t actually connect with the business. And so I think, being able to, to translate those skills, that’s, what’s going to be really, really important. 


I don’t, I just don’t think you can go get budget. If you don’t have the business skills, if you don’t understand how how your business is operating. And so then you’re not going to have the people that you need, even if you’re, , really excellent on the technical side, to be able , to articulate things, , maybe downward or outward. 


But I, I’ve not heard people describe these jobs as easy. So I’m interested in who you’re talking to. 


Ashish Rajan: who would forever be unnamed, I guess as someone who’s coming in saying, I always thought the CISO needed to be technical, but I guess to your point, technical and business oriented, is that right? 


Sean Catlett: Absolutely. Yeah. I think that , at the end of the day, , and there’s so many different ways to be technical. I think that [00:05:00] that’s really important to call out. I think that , what I’ve seen coming up to the bay area is as a much greater focus on. Having been, or currently being a software engineer as background I’m a little bit different than that. 


That’s actually not my background at all. It’s something that I’ve had to kind of pick up and learn over time. But I think that, , taking somebody out of that environment and putting them into maybe a large financial services or, , Beijing environment or, HIPAA compliant like medical devices, they, they might struggle there because they’ve not seen maybe a broader perspective around those. 


Exist in any business, , threat detection, vulnerability management, et cetera, that you must be somewhat technical for. Oh 


Ashish Rajan: yeah. Sweet. Hopefully that answers the question, but feel free to keep your comments and towards coming in as well on the live chat. So maybe talking about different kinds of businesses, you have sounds like you mentioned Reddit, you mentioned slack as well. 


Very different. Like I think I don’t know if actually it has a business offering, but sounds like a B2C versus a B2B. How different is cybersecurity and to go you earlier about different kinds of businesses require different kinds of security as well. How different is the B2C security [00:06:00] was a B2B security, I guess, 


Sean Catlett: it’s funny because I think the B2C environment , they’re similar in some veins, but I think one is just like, the style is very different than how you commute. 


Risk to like your customers. So I think of communicating, security issues or , changes to the way that the product works that may, may impact, , their experience security or privacy in a B2C space. You really have to think like really far in advance. And this is where they’re probably like super similarities and analogs, but they’re just very different than how they actually operate. 


So you have to give an example from. To communicate a lot of what we wanted to communicate around misinformation around the changes that we were going to be making in the product to improve the way that , security and trust and safety and privacy , were being rolled out. 


We created a separate, , community as you would with Reddit, but it was basically a know company specific blog of Reddit security. So we had an avenue to communicate, but if we had not done that. It’s extremely challenging of like, , how do I find the reach to really notify people effectively of changes that are being made? 


How do I get their feedback? How do I make sure that we’re working in and around that? And then [00:07:00] pivot that to B2B where you need to do the same thing, but those are contractual relationships you already know. And there’s probably a support model of customers around how you communicate. But I think the principles are the same. 


I think that, , being transparent is something that. Really champions on each of my roles, making sure that we’re out there, we’re communicating clearly with customers and that we’re, , educating them about , the changes that we’re making so that they can better protect themselves. 


Ashish Rajan: I’m actually curious, is there a I guess if I were to put a challenge, scale is a challenge of explaining security, hardware and consumer space versus a bit like an enterprise business. 


Sean Catlett: I don’t know that you could say, which is harder. I think that they both had just come with their own different challenges. I mean, the one assumption that you can’t make is that , your users while they may not all understand everything that you’re putting out there, sometimes that’s like, , that’s on what, you’re, what you’re able to communicate, the language that you use. 


But your customers are extremely intelligent. They know a lot, especially as the wisdom of crowds, right. Of what they need, what signals they listened to for you to get to gain trust and breaking that trust. You can do that with[00:08:00] , either population, , whether it’s, holding back on information , or not communicating effectively. 


I think that, , those challenges persist, regardless of which business that you are. 


Ashish Rajan: Right and directing, cause I’m thinking more from a team members as vulnerable part of the security team. That would be a lot of them listening to this podcast as well. What I guess from their perspective, what can they. 


Maybe I dunno if you have a respect to one this, but I’m curious, does it change at their level? Like from that from, I guess, safer, I’m just making an example, security engineer, for example, for all that, they’re all would probably remain the similar between a B2C and B2B. It’s mostly at the leadership level that it changes dramatically. 


That the way you would explain security or do you feel. Even at like the ground level for security into the boat. 


Sean Catlett: I think it changes, , you think of where the demand for security comes from. So I think where, , I always felt, and, and kind of the B to C context you, you might be your role, your team. 


So I think that’s where it does matter to the whole team might be the last and only arbiter of whether you got that. , appropriately managed and that you’re there to represent that for for the business. And whereas enterprise customers, , [00:09:00] especially, , businesses, they have a whole other team on the other side, they have expectations. 


So they can be much more challenging because their expectations can be regulatory. They can be. The demands that they have on their business in order to be able to achieve what they’re trying to do. So, there’s a nuance there, but I wouldn’t, I definitely wouldn’t put it either , as easy. 


And I think that, , you really have to instill that with your teams. I think we all do that anyway, as leaders, I just kind of your job. The work that people are doing with the protection that they’re trying to gain for the organization. But I think with with the consumer world, you have to look at like, , somebody building a product and engineering, especially on the security side, after reviews, they may be in a very small group, especially in a smaller company with a large consumer base. 


They may be a very small group making massive decisions. So making sure that they know how to make a decisions that you have good frameworks. I think that’s vitally important. 


Ashish Rajan: Awesome. Great answer as well. By the way, I’ve got a question here from Define and based on your experience, when is the right time for organization to define a CISO role? 


Rather than rely on a CIO, chief focused on security. 


Sean Catlett: Darpan I love your question. , it’s funny when I joined Reddit asked repeatedly, and I kind of kept this and [00:10:00] ask organizations, , is it too early or too late to hire a CISO? Right. And I always a good one to ask if you’re joining by the way, if you’re an aspiring CISO, but I think what’s, , there is a Of the business being ready. 


I think they have to be ready for some investment. I think it’s also interesting the way that so many companies now rely on SAAS and those SAAS products already have some security baked in. And so there’s some leverage that can be gained. Yeah, it was maybe extending a bit further than we have in the past where you had to start building and owning your own solution. 


And , you can’t have no security. And so I think that there’s leverage, especially if folks who are cloud native or leveraging a lot of SAAS to, to have that model. However, , the CISO role is a particular one where you’re, , in many ways. Aligning an organization, you may be centralizing sometimes not and getting the team, I guess the company recognition that they need to be thinking about this. 


I think that’s when that role is really, really important. And so sometimes that’s really early in the life cycle of a business. And other times it can be much, much later because it’s either like kind of natively built into their product and the way that they think about it or their executive [00:11:00] teams, or maybe just the way that there are companies or. 


Ashish Rajan: Awesome. Thanks for the answer. And hopefully that answered your question, but feel free to ask us one of the one Darpan and others as well, or who are listening to the live stream. So talking about the different kinds of SAAS application that you mentioned as well, these days, a lot of people have them or the SAAS providers that even trying to put, provide security features as well. 


Another kind of, almost like a SAAS is in my mind, are the Cloud service providers. Now cloud-based providers, , we’ve all been using them for awhile. And for a long time, there was not that many vulnerbilities that came out for each of the cloud service providers. But so the question around, can we trust the cloud was usually followed by, Hey, when was the last time you heard about a vulnerability . 


But unfortunately, or fortunately for them over the last seven, eight months, there have been a lot of, they say a lot more on AWS and some on Azure and some on on GCP, they have been vulnerabilities found. Do you feel that the cloud service provider could be doing a bit more to gain trust for leaders? 


Cause I imagine kind of like not just leaders like you and I, but the board is also the reading all this and to us talking [00:12:00] about earlier that, Hey, we need to explain the business, why technical risks. Do you feel the cloud says what? I have a responsibility of some sort, or maybe what is your reaction to the whole I guess, vulnerabilities coming out and does that question that trust that you have in the. 


Sean Catlett: Well, I think there’s a few things and this could be , any business. I don’t know that it’s specific to cloud providers, but I think it’s just really, really important in particular , for all of them and anybody built on SAAS, I say a lot transparency has competence being able to. 


I believe in the shared services, , in the shared responsibility model. However, I think that it’s , we could do more to blur that line a little bit with the information that’s provided around those kinds of black box solutions that are being sold. And I think , when things like vulnerabilities come out. 


Need to be solved, being very clear about what was affected, how fast they were fixed, what the companies need to do to, , on their side when they started. So they could protect themselves. If they were vulnerable, you have to remember that you have other people leveraging your own capabilities. And so I think that that’s really an important aspect, but it, additionally, the terminology, I think for when you look at trust, [00:13:00] especially like the board or CIO is looking to. 


Workloads into the cloud. We really have to get some standardization at the industry level for the terminology that’s used for a lot of these products, because when you call the same thing, different things, it just slows things down, ? And I think, we, as a broader community can help that , with some standardization that would make it easier for you to know, okay, I know what this is leveraging. 


I understand this container. So Sharon, and then I understand, , the controls that would be built around. Yes, you can need product names and everyone needs to be selling something. I get that, but it’s very challenging to map some of those and understand where it starts and stops. And then, , the patchwork of solutions that you need, , where you have , coverage. 


So I think that that’s a really, really bored. 


Ashish Rajan: No good point. And also talking about people who are not being transparent, I guess, are attackers, I guess who probably sometimes don’t even share what they found after being in the industry for such a long time. What surprises you the most in terms of the kind of attacks that are happening these days? 


Like, no, I don’t know. I imagine floppy disk attacks or whatever, but something that you want to see in when you were sliding off, but what’s something that still surprises [00:14:00] you about attackers in today’s. 


Sean Catlett: Well, there’s three things for me. And I think the first is the continued, like professionalization and model modularization of , their business, which is like, if you think of like the ransomware businesses, the, , blank insert attack for hire, or almost SAAS , of attacker infrastructure and services I think. 


That’s fascinating to me that those capabilities, you see some of the leaks about, , certain organizations and then, learning how they’ve had similar challenges that we all have with running a business, , and getting the services they need getting the skills. I think that that’s, that’s one side, which like professionalism. 


And then on the other side, I think just the continued every few years, just extremely brash nature of some threat actor that goes and takes down and targets. , extremely large parts of whether it’s tech infrastructure or organizations. And I just, again, find that, fascinating. 


And the piece that I I’ve been thinking about lately is and this is related to something else I hope we get to talk about, but , these attackers are able to get trained to such skill levels. And I know the old outages of like the, , we have to be right every time. And then after you write one set, but at the end of [00:15:00] the day, there’s something that they are doing right. 


And how they are able to pass. Technical knowledge and knowledge of the targets and the things that they’re doing in a way that I think is really important for us to think about like how we grow organically, the folks that we train and that we have inside the industry. And so I always just intrigued at how they’re able to do that at such scale. 


Ashish Rajan: Yep. And that’s a great question. Oh, it’s a great way to look at this because I, yeah, to your point, a lot of people don’t realize that attackers these days, that aren’t individuals, they are actually full organizations to what he was saying as well. They’re businesses that they’re doing operations at a global scale, probably using Bitcoin or some kind of cryptocurrency to operate that as well. 


So it’s a great answer. One question from Dutch as well. Do you have any tips on how to train your teams on starting with business initiatives and then applying through security? I don’t see a lot of engagement at the manager and director level with their peers and sales, operations, HR, legal marketing, et cetera. 


How do we better cultivate that? 


Sean Catlett: Thanks Dutch . I, , one of the things that I learned very early on in my career and this was actually all the way back to my bank of America days, I think they did an incredible job and trying to [00:16:00] onboard so many people, right? I mean, at that point we were like, we were reaching to close to 300,000 employees. 


And so the scale of making sure that the company trains its people effectively they had a whole program, which was just how the bank. And they would walk through and then go through their products. And I’ve always taken that in any business of like, okay, how do I break that down? Like, how do we know that? 


Because , that you have to protect that, , that you then have to protect all the data and the systems that come from that, , core channel of how the company is going to make money. And so I think that’s really, really important. And then I think you’re kind of answered the question with the second part of your question there. 


I think it is through your leaders being pushed to really engage. Beyond the security team to really learn how those other groups operate and then think through what other, what are their critical data assets? What are the systems they use? Are those systems secure? Cause many times they may have gone far a field to use a solution, maybe, especially in a fast growing place that maybe wasn’t. 


Fully thought through, maybe it’s old, maybe it hasn’t been used in years, , maybe it hasn’t been re-reviewed and anytime that you can spend some time, make something more effective unblocked and other team, [00:17:00] you just build that business relationship, which is vitally important. 


Ashish Rajan: Awesome. Thanks for the answer. 


And hopefully that answered your question. Feel free to ask some follow-up one as well. So that kind of is a good segway to my next question, around challenges for a leadership role these days. What are some of the biggest challenges that you’ve see in the cybersecurity space that maybe it’s not being spoken about enough as a leader? 


Sean Catlett: Well, I think it’s being spoken about all the time, as far as how do we, , grow our workforce. We’ve got to figure out solutions for being able to bring in more. , just people into the end of the cybersecurity world on, in all roles. So I think just, in general, and this is at every national level there’s initiatives for there, I think that it’s really, really important to, to figure that out. 


We’ll definitely have some, some thoughts on that topic. But I think also like how we then grow our leaders, right. To reach scale, you’ve got to have leaders that are able to mentor and make time available, so to grow other leaders and, , the last. Got to enable diversity. We have to make sure that we continue to challenge ourselves to not be myopic, because I think at the end of the day, when you think of security, [00:18:00] it’s a, it’s a very well-rounded problem. 


So you need , a well-rounded team to go try to tackle those problems. So it’s each of those has their own particular challenges, but I think that, we’ve got to do well. 


Ashish Rajan: I tell you thoughts on diversity as well, because too, one of the teams that came across from visa at SFN RSA when we were there as well, a lot of conversations around diversity, not just in terms of, I guess, inclusivity and equity, but also in terms of where people were coming from into the cyber security space. 


And Jasmine talks to that as well. 


Sean Catlett: Well, I, , I’ll, I can speak for myself as I got started, , for me it was, I was a biology major because I was down at UCR university of Texas at Austin realized I didn’t want to be in pre-med. I was spending all my time and, , switched over to a business degree just to finish up so I could join a startup. 


And, , online music, really cool, fun stuff. But if you think about that background, if I always think about, if I went today with that background into a role and said, I would like to get this role, this team, this job would I even make it past the readout, the process of processing resumes. 


Right. And so I think for a lot of us, it’s, , making sure that [00:19:00] we’re hiring for attitude and aptitude I do like to see people that have. Going out and tried to work on whether it be capturing the flags or things that kind of demonstrate some analog skills, , for the industry or just a drive to go, , , get trained up and, and work outside of their own discipline. 


, towards ours, by showing training and certifications and things like that at a very early age. But when I went through and I talked to a number of CISOs out at at RSA this last week, it was just, I just triggered in my mind, he was doing another talk and I want to just find out like, what were their backgrounds? 


And so it was, , business biology, history. Civil engineering, biochem, criminal, criminal justice, and public relations. I did actually find some that had cybersecurity degrees. So, so that was good. I was like, oh, you’re, you’re unique. And then, there were a few in computer science and as you’d expect, but , liberal arts and leadership and some, just some places I wouldn’t have expected. 


And this is, , these were mostly, I believe bay areas, CISOs. And so it’s kind of interesting to think, like we’ve all gotten there. What are we doing to enable others? To have those same, , potential [00:20:00] backgrounds. Cause I think that’s, that’s the definition of diversity there as far as like backgrounds and the way that they are able to apply those skills to the problem space we have. 


Ashish Rajan: Wow. It’s a good point as well. Cause I think a few of our listeners, I think a Zinet who was a, the earliest Xena is used to be a lawyer. Now she didn’t have security for quite a few people in our local. I mean, I guess you’re not a space as well or they go, so come upon find the person name, but I know many schools that started with that. 


Background. So there’s already a few people already there, kind of on the same vein. I’ve got a question from Darpan again. When did that you were ready to be a CISO? What led to that realization? Kind of, I guess it’s kind of like aligns with the question that I had about people who want to become CISOs. 


What’s your advice for that? So maybe start with Darwin’s question. 


Sean Catlett: Well, I think imposter syndrome is real. I don’t know that any of us ever really feel like we’re ready, you’re in the job with a label. I think other people ascribe more to it than, than you do. I feel like it’s always a role that’s constantly shifting the expectations, seem to continue to. 


, magnified the lens it’s put on you and your role for all reasons, ? So I don’t know that you ever truly [00:21:00] feel ready. I think for me it was, I had I’d come up through a leadership role. And threat detection. And when I was , able to take a role at a company, and this is why I answered earlier, like it’s really company dependent, where it was really important for them to get somebody that had, , the background and skills and experience that I had to take on that first role, because I was an external hire into a CIO role versus an internal promotion. 


So, , that takes a lot of. , trust on both sides on, , making sure that you do and can demonstrate the skills also really acknowledging where you are still learning and the skills you’re trying to gain. But I think, , I’d say the first time where you feel ready for it you’re probably ready for another job, it’s something where you’re really challenged all the time and that’s, I think what keeps you really at least for me mentally, Around the roles that we that we do, but I’m not sure I answered your question, but a little bit of, 


Ashish Rajan: well, I think you did kind of in a lot of ways. 


And I think I just find out who the person is as is Barbara Kramer. She’s she’s got a few comments as well. I know many athletes that started with a [00:22:00] computer background could be that we are seeing more certifications programs coming. I sized that really is really pushing your training. So it seems like a few ways why people are trying to get into the space as well, but thanks for the comments as well, Barbara, but to to come back to they’re posting about, I guess, becoming CISO. 


When do having done this for some time, and I’d love to hear your thoughts on, do you think it’s easy than frustration and everything that, cause it’s almost like a. It almost managing an entire business on your own as well. In a lot of ways, it’s, it’s, it’s not something that people may say, oh, I only need to care about HR. 


I only need to care about marketing, or I only, this is kind of across the entire business, a lot more demanding, and this is my opinion. So I kind of put some scale on some of the, I guess, biggest opportunities as well in this space. It’s really frustrating. I imagine just the amount of pressure that goes into. 


But do you feel there are opportunities in this space as well? That are not yet? I guess not spoken about, I guess. Yeah. 


Sean Catlett: I think we have a lot of folks who they’re in those roles. Like not to just go get beaten down [00:23:00] by all the challenges. Right. But they’re really still trying to, I think change the role into what I would say is an effective and actual C-level. 


Right. I think it’s got the title, but I think you’ll find a lot of times that the title is actually leveled in a different place than the organization may not have the impact that you would expect as other C-level titles. And so I still think there’s a bit to be earned there. But I think that you earn that by being an enabler of the business. 


And actually I had another peer of mine. Who was actually initially hired and works for the CEO of this company. And so you ask them, what’s the difference of working for the CEO versus a CTO. And his answer was still so impactful for me. And I think others, which is, , he’s helping the business at the point where those business decisions are being made to think through and to carve out where the business is going. 


Versus the, , usually second or third order effect of the businesses decided a thing. They didn’t decide to technology. And then they come to the security team and they say, Hey, can you help me to secure? And so I think shifting the role to be one, that one, we have to be able to be business leaders to be at that table. 


You can’t just say, Hey, I want to be here. I have [00:24:00] the title. And we can get into all of that with what’s happening with sec and putting people on boards from our industry and things like that. But. I think that, , it is something that has to be earned to be able to offer that type of advice, which I think just compounds, imposter syndrome across the board to then be that level of business leader, to be able to translate that across all those functions that you mentioned really, really. 


Ashish Rajan: Yeah, I think that’s probably the harder piece. Cause you kind of have to understand almost like you’re running a business because you have to, I just have HR problems, marketing problems, sales problems as well sometimes. So it sounds like a very, a to quote you earlier well-rounded role as well for people who may be listening to this and going, oh. 


What kind of skills do I think we mentioned about the technical skills, but what about the kind of soft skills are required for such a role? Cause I think we kinda mentioned the technical roles for a cloud supply chain, having a knowledge of that, but are there any other specific skill set that people should kind of have in mind? 


And I’m going to take a leave from DARPA’s question as well. People who may be listening to this going, oh, I want to be a CISO one day. But with smart technical person, a of [00:25:00] Cordell is like this, whoever this person is like he, or she maybe like no super gun at like a certification or downside of things. 


What are some of the other skillsets that they should think about and are working in that space? Cause they might just be working in say Cloud security at the moment, but they have their eyes on something like a CISO role. What would your advice be to somebody? 


Sean Catlett: First of all, just recognizing that it’s one of the few roles that you have, like people actively trying to destroy the things that you create and your job. 


So if that’s what , you’re in for, , just, you don’t see that challenge across a lot of the other disciplines. When you think of, , sales, marketing, it’s all metaphorical or business, right. And this is kind of actual I think turning to some of the skills and, and I, , I try not to. 


Flipping around these actually really believe these are important to cultivate that sense of curiosity. Cultivating curiosity and remaining current is extremely important. Things move so quickly. And like you said, you were responsible for the oversight and the way to kind of translate very large changes in businesses, technology, et cetera, into manageable and meaningful plans that also takes leadership skills, the ability to build [00:26:00] relationship. 


Look at your peer groups and understand some of their challenges. And, , I think a humility around that, that you’re not going to have the answer for both for your team and for others. No, I think the toughest skill and I don’t know where you learn this. I think I have some, the things I do like personally, I play a lot of games and so, , I feel like you, you kind of have to learn to, to lose and like pick yourself up and then turn, turn that around because there are going to be things that are just, they’re not. 


, there’s no good decision except making one right then. And then, , working towards closing or solving a risk because it’s something that you didn’t do it, you didn’t create the vulnerability, , it’s, it’s there, , I have to go deal with that. And that can feel tough when , your role is to make sure that things are secured or at least appropriately risk managed. 


So I think. Playing games and really understanding and like kind of working through like the current state of the industry whether it be like capture the flag type things or are those, I think they’re all really important skills to think that through. And , when I like take a massive step back and try to say like, how. 


What got me here. I don’t think there’s one thing except just absolute passion for [00:27:00] the space. Find your thing and then hold onto that and then try to find the companies that really need that thing. So, and for me, it’s always been things like threatened. And I’ve got a passion for threat detection and privacy. 


And so it’s like find places where that’s like the core of where, what they need, and then you’ll always be excited on what you’re working on. 


Ashish Rajan: Oh, that’s a good point. I think cause also because it kind of ties in really well to what we were talking about, understanding the business that you’re trying to work in as well. 


You, you may not have all the other background, but just because the company you may work for has a strong focus on privacy and You could be the best CISO out there because you understand the space and you can bring more leadership, but that as well. So it’s pretty well, very well put in a final question on this, considering we are talking about. 


The future of people who are trying to get into the CISO space as well from a cybersecurity industry perspective. And we just recently did RSA, where do you see for the rest of the 2022? And maybe for a couple of years after that as well. Where do you see the cybersecurity industry focus on and what some of the teams that you might have thought, Hey, what? 


This might be something that people would talk more. 


Sean Catlett: Well think if you, I mean, [00:28:00] taking a massive , zoom out first. I think that just recognizing that , just the attack surface is growing so rapidly, like it’s just the knowing that we’re going to have to have things that better, , document and collect information and make sure that we know the environments that we’re there to protect. 


I think that’s going to be extremely important. I think that there’s also just a lack of. We have a lot of things which are I think you can take newer technologies, but apply them to older problems and really get some real results. But they are like the fundamentals for the industry. And I think we need to continue to focus there versus like the new shiny and obviously skills. 


That’s going to be really important. But , when I think through the things that I I’m really intrigued by, so , I love attack simulation. I just think that the ability to actually prove what you have, whether it’s automated attack simulation, some of those technologies or red team, or enabled red team technologies and capabilities with teams, , that proving security , is just so important. 


And I think that’s something that our businesses really wants. And , when you don’t have things going bump in the night , you feel like things are locked up, you’re doing well, having that capability to [00:29:00] kind of wake you up and also let you really test your, your capabilities is really important. 


I guess last for me is I’m personally really interested , in graph technologies as applied to security problems, because I think mapping out those relationships just help you communicate to the business and help you better prioritize. But there definitely again, now you’re getting into the shortages of shortages of people with those skills. 


That are leveraging those skills in the security domain and even like products in that space. So I think it’s, again, it’s super challenging for us to make sure that we have people with the right skills to achieve what we’re trying. 


Ashish Rajan: Yeah. Awesome. And I think, well put together as well. Cause you almost feel attack service management was definitely a theme and the other one being, I guess, just the skills required to even get behind this as well. 


Cause the thing to point graph, QL, all the other new names people heard now, suddenly the security folks are expected to understand that and work with it as well. You can’t. So the paradigm is already shifting from being just a cloud person to now, Hey, I need to know graph key or whatever. 


Sean Catlett: That’s right. 


Yeah. And, , and then you’re imagining all the different data site data types that are probably in those systems just currently in [00:30:00] non-security focused, realms for what those do. And then trying to bring that in make sense of it, secure that while trying to say like, can we actually apply that to how we gain better understanding as an industry around the relationships between systems and data vulnerabilities, that system and its owner and those types of problems that become so challenging. 


Ashish Rajan: Yeah, no great point. And I think I’ve got a comment here from Barbara for education as well. I think it’s a cynical divergence academy works with veterans through government grants. They go, there’s a people that go her dad divergence academy for veterans to get into a Cloud security. Awesome. Appreciate your time on the Sean. I appreciate you. Sharing of knowledge. Where can people find you to connect with you and maybe I guess having to, if people, whoever has follow up questions, where can they find you on social, 


Sean Catlett: LinkedIn that’s, that’s going to be the best for, for me. 


Generally don’t do too much on Twitter. And I’ve obviously worked at Reddit. So I, I I’ve used those for more receiving of things. So yeah, I mean, I do I’m on Twitter if people want to to ping me there, but LinkedIn probably to get your chance of. 


Ashish Rajan: Awesome. I’ll [00:31:00] leave that bio in the show notes as well, but thank you so much for this, Sean. 


I really appreciate it. And I’m glad we got to meet in person as long before we got together. 


But yeah, thanks so much for coming in, man. I appreciate this. And I’m looking forward to having you again one day. Absolutely. No, thank you. Thanks everyone else. We’ll see you on the next weekend’s episode. See ya.

More Videos